From: Aaron Lauterer <a.lauterer@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Dominik Csapak <d.csapak@proxmox.com>
Subject: Re: [pve-devel] [PATCH cluster v8 4/4] DataCenterConfig: add tag rights control to the datacenter config
Date: Wed, 9 Nov 2022 15:42:21 +0100 [thread overview]
Message-ID: <1a3009d9-8232-bd8f-067f-466ff1b9d3ec@proxmox.com> (raw)
In-Reply-To: <20221018140226.598710-5-d.csapak@proxmox.com>
On 10/18/22 16:02, Dominik Csapak wrote:
> by adding a 'user-tag-privileges' and 'admin-tags' option.
> The first sets the policy by which "normal" users (with
> 'VM.Config.Options' on the respective guest) can create/delete tags
> and the second is a list of tags only settable by 'admins'
> ('Sys.Modify' on '/')
>
> also add a helper 'get_user_admin_tags' that returns two hashmaps that
> determines the allowed user tags and admin tags that require elevated
> permissions
>
> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
> ---
> data/PVE/DataCenterConfig.pm | 93 ++++++++++++++++++++++++++++++++++++
> 1 file changed, 93 insertions(+)
>
> diff --git a/data/PVE/DataCenterConfig.pm b/data/PVE/DataCenterConfig.pm
> index bb29d26..e2140ff 100644
> --- a/data/PVE/DataCenterConfig.pm
> +++ b/data/PVE/DataCenterConfig.pm
> @@ -154,6 +154,26 @@ my $tag_style_format = {
> },
> };
>
> +my $user_tag_privs_format = {
> + 'usable' => {
> + optional => 1,
> + type => 'string',
> + enum => ['none', 'list', 'existing', 'free'],
> + default => 'free',
> + dscription => "Determines which tags a user without Sys.Modify on '/' can set and delete. ".
s/dscription/description/
> + "'none' means no tags are settable.'list' allows tags from the given list. ".
> + "'existing' means only already existing tags or from the given list. ".
> + "And 'free' means users can assign any tags."
> + },
> + 'list' => {
> + optional => 1,
> + type => 'string',
> + pattern => "${PVE::JSONSchema::PVE_TAG_RE}(?:\;${PVE::JSONSchema::PVE_TAG_RE})*",
> + typetext => "<tag>[;<tag>=...]",
> + description => "List of tags users are allowd to set and delete (semicolon separated).",
> + },
> +};
> +
> my $datacenter_schema = {
> type => "object",
> additionalProperties => 0,
> @@ -285,12 +305,60 @@ my $datacenter_schema = {
> description => "Tag style options.",
> format => $tag_style_format,
> },
> + 'user-tag-privileges' => {
> + optional => 1,
> + type => 'string',
> + description => "Privilege options for user settable tags",
> + format => $user_tag_privs_format,
> + },
> + 'admin-tags' => {
> + optional => 1,
> + type => 'string',
> + description => "A list of tags only admins (Sys.Modify on '/') are allowed to set/delete",
> + pattern => "(?:${PVE::JSONSchema::PVE_TAG_RE};)*${PVE::JSONSchema::PVE_TAG_RE}",
> + },
> },
> };
>
Is it possible to add a "typetext" for admin-tags as well? The `pvesh usage
--verbose` output for the parameter looks rather confusing.
> # make schema accessible from outside (for documentation)
> sub get_datacenter_schema { return $datacenter_schema };
>
> +# returns two hashmaps of tags, the first is the list of tags that can
> +# be used by users with 'VM.Config.Options', and the second is a list
> +# that needs 'Sys.Modify' on '/'
> +#
> +# If the first map is 'undef', it means there is generally no restriction
> +# besides the tags defined in the second map.
> +#
> +# CAUTION: this function may include tags from *all* guest configs,
> +# regardless of the current authuser
> +sub get_user_admin_tags {
> + my $user_tags = {};
> + my $admin_tags = {};
> +
> + my $dc = PVE::Cluster::cfs_read_file('datacenter.cfg');
> + if (my $user_tag_privs = $dc->{'user-tag-privileges'}) {
> + my $usable = $user_tag_privs->{usable} // 'free';
> + if ($usable eq 'free') {
> + $user_tags = undef;
> + } elsif ($usable eq 'existing') {
> + map { $user_tags->{$_} = 1 } ($user_tag_privs->{list} // [])->@*;
> + my $props = PVE::Cluster::get_guest_config_properties(['tags']);
> + for my $vmid (keys $props->%*) {
> + map { $user_tags->{$_} = 1 } PVE::Tools::split_list($props->{$vmid}->{tags});
Am I right that a permission check to only add the tags from guests for which
the user has the necessary permissions is computationally quite expensive?
I see two potential use cases here. One, a large organization that splits up
access for mgmt but would like to use the same tags throughout for consistency.
So getting all tags is fine.
The other would be one cluster with direct access for mgmt by different
customers. Seeing all the tags configured in the cluster could leak some private
information, depending on what tags have been assigned.
next prev parent reply other threads:[~2022-11-09 14:42 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-18 14:02 [pve-devel] [PATCH cluster/qemu-server/container/wt/manager v8] add tags to ui Dominik Csapak
2022-10-18 14:02 ` [pve-devel] [PATCH cluster v8 1/4] add CFS_IPC_GET_GUEST_CONFIG_PROPERTIES method Dominik Csapak
2022-10-18 14:02 ` [pve-devel] [PATCH cluster v8 2/4] Cluster: add get_guest_config_properties Dominik Csapak
2022-10-18 14:02 ` [pve-devel] [PATCH cluster v8 3/4] datacenter.cfg: add option for tag-style Dominik Csapak
2022-11-10 9:54 ` Thomas Lamprecht
2022-10-18 14:02 ` [pve-devel] [PATCH cluster v8 4/4] DataCenterConfig: add tag rights control to the datacenter config Dominik Csapak
2022-11-09 14:42 ` Aaron Lauterer [this message]
2022-11-10 10:09 ` Thomas Lamprecht
2022-10-18 14:02 ` [pve-devel] [PATCH qemu-server v8] api: update: improve tag privilege check Dominik Csapak
2022-10-18 14:02 ` [pve-devel] [PATCH container v8] check_ct_modify_config_perm: " Dominik Csapak
2022-10-18 14:02 ` [pve-devel] [PATCH widget-toolkit v8 1/2] add tag related helpers Dominik Csapak
2022-10-18 14:02 ` [pve-devel] [PATCH widget-toolkit v8 2/2] Toolkit: add override for Ext.dd.DragDropManager Dominik Csapak
2022-10-18 14:02 ` [pve-devel] [PATCH manager v8 01/12] api: /cluster/resources: add tags to returned properties Dominik Csapak
2022-10-18 14:02 ` [pve-devel] [PATCH manager v8 02/12] api: add /ui-options api call Dominik Csapak
2022-10-18 14:02 ` [pve-devel] [PATCH manager v8 03/12] ui: call '/ui-options' and save the result in PVE.UIOptions Dominik Csapak
2022-10-18 14:02 ` [pve-devel] [PATCH manager v8 04/12] ui: parse and save tag color overrides from /ui-options Dominik Csapak
2022-10-18 14:02 ` [pve-devel] [PATCH manager v8 05/12] ui: tree/ResourceTree: collect tags on update Dominik Csapak
2022-10-18 14:02 ` [pve-devel] [PATCH manager v8 06/12] ui: add form/TagColorGrid Dominik Csapak
2022-10-18 14:02 ` [pve-devel] [PATCH manager v8 07/12] ui: dc/OptionView: add editors for tag settings Dominik Csapak
2022-10-18 14:02 ` [pve-devel] [PATCH manager v8 08/12] ui: add form/Tag Dominik Csapak
2022-10-18 14:02 ` [pve-devel] [PATCH manager v8 09/12] ui: add form/TagEdit.js Dominik Csapak
2022-10-18 14:02 ` [pve-devel] [PATCH manager v8 10/12] ui: {lxc, qemu}/Config: show Tags and make them editable Dominik Csapak
2022-10-18 14:02 ` [pve-devel] [PATCH manager v8 11/12] ui: tree/ResourceTree: show Tags in tree Dominik Csapak
2022-10-18 14:02 ` [pve-devel] [PATCH manager v8 12/12] ui: add tags to ResourceGrid and GlobalSearchField Dominik Csapak
2022-11-07 14:56 ` [pve-devel] [PATCH manager] ui: add missing tag classes Dominik Csapak
2022-11-09 13:11 ` [pve-devel] [PATCH cluster/qemu-server/container/wt/manager v8] add tags to ui Aaron Lauterer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1a3009d9-8232-bd8f-067f-466ff1b9d3ec@proxmox.com \
--to=a.lauterer@proxmox.com \
--cc=d.csapak@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox